
A feature of the Linux kernel called namespace isolation [1] defines groups of separated processes such that each process cannot "see" resources in the other groups. This is a form of lightweight process virtualization used in some container implementations such as LXC. There are currently six namespace implementations:

- mnt: mount points and filesystems isolation
- pid: process isolation
- net: network stack isolation
- ipc: System V IPC isolation
- uts: hostname isolation
- user: user isolation by means of UIDs

In this post I'll show a few examples of how to create network namespaces and use them with Open vSwitch.

A network namespace is a separate copy of the network stack: it contains its own routes, network devices and iptables rules. It is defined in include/net/net_namespace.h, and each network device belongs to exactly one network namespace. There is always a default network namespace, called the root namespace, to which all network interfaces are initially assigned:

We can use "ip netns exec ns1 command", where command is either the actual command we want to execute or bash, which drops us into a shell inside the namespace; there we can run commands as usual without prefixing each one with "ip netns exec ns1".

As you can see, the ns1 namespace only contains the loopback interface, in a DOWN state. The same is true for the ns2 network namespace.

To connect the two, let's first create a software switch using Open vSwitch:

The commands above created two virtual links in the root namespace, each with one interface at each end: eth1-ns1/veth-ns1 and eth1-ns2/veth-ns2. Think of eth1-ns1 and veth-ns1 as the two opposite ends of the same pipe. The names are arbitrary.

First, let's connect one end of each virtual link to its namespace:
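The following script is an added example, not the commands from the original post: it builds the topology described here (namespaces ns1/ns2, veth pairs eth1-ns1/veth-ns1 and eth1-ns2/veth-ns2 attached to an OVS bridge) and adds a small check that a namespace sees only lo and its own veth end. The bridge name br0 and the 10.0.0.0/24 addresses are assumptions; the real commands need root and Open vSwitch, while DRY_RUN=1 only prints them so the plan can be reviewed before it touches a host.

```shell
#!/bin/sh
# Added example: reproduce the post's namespace + OVS topology.
# BRIDGE is an assumed name (the post does not name its bridge).
set -eu

BRIDGE=${BRIDGE:-br0}

# Run a command, or just print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Create a namespace and a veth pair, move one end into the namespace,
# and plug the other end into the OVS bridge.
# Args: namespace, in-namespace interface, switch-side interface, IPv4/prefix
attach_ns() {
    ns=$1; inner=$2; outer=$3; addr=$4
    run ip netns add "$ns"
    run ip link add "$inner" type veth peer name "$outer"
    run ip link set "$inner" netns "$ns"
    run ip netns exec "$ns" ip addr add "$addr" dev "$inner"
    run ip netns exec "$ns" ip link set "$inner" up
    run ip netns exec "$ns" ip link set lo up
    run ovs-vsctl add-port "$BRIDGE" "$outer"
    run ip link set "$outer" up
}

# Whole topology from the post; the addresses are constructed for this example.
build_topology() {
    run ovs-vsctl add-br "$BRIDGE"
    attach_ns ns1 eth1-ns1 veth-ns1 10.0.0.1/24
    attach_ns ns2 eth1-ns2 veth-ns2 10.0.0.2/24
}

# Isolation check: interface names visible inside a namespace.
# After build_topology, "ns_ifaces ns1" should list only lo and eth1-ns1.
ns_ifaces() {
    ip netns exec "$1" ip -o link show | awk -F': ' '{print $2}' | cut -d@ -f1
}

# Usage: sh thisscript.sh build   (or DRY_RUN=1 sh thisscript.sh build)
if [ "${1:-}" = build ]; then build_topology; fi
```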